SSRF

Server-Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to trick a server into making requests to unintended internal or external resources. Instead of communicating directly with a target system, the attacker abuses a vulnerable application to send requests on their behalf. Because the request originates from the trusted server, the attacker may gain access to resources that would normally be inaccessible.



Modern applications often retrieve content from external sources.

Common examples include:

  • URL preview generators
  • Image fetchers
  • PDF generators
  • Webhooks
  • Third-party API integrations

A typical workflow might allow a user to submit a URL, which the server then fetches.

For example: https://example.com/fetch?url=https://website.com/image.png

If the application does not properly validate the URL, an attacker may provide a malicious destination instead.

The server will then unknowingly perform the request.


Consider the following process:

  1. The attacker identifies a feature that accepts a URL.
  2. The attacker submits a specially crafted URL.
  3. The vulnerable server fetches the resource.
  4. The response is returned to the attacker.

Since the request originates from the server, it may bypass network restrictions and access protected systems.



SSRF can allow attackers to access resources that are normally hidden from the internet.

Potential targets include:

  • Internal APIs
  • Private databases
  • Cloud metadata services
  • Internal dashboards
  • Network devices
  • Administrative interfaces

In many environments, internal systems trust requests originating from other internal servers.

This makes SSRF particularly dangerous.

Cloud Infrastructure Risks

Cloud environments are especially vulnerable to SSRF attacks.

Many cloud providers expose metadata endpoints that contain sensitive information about running services.

Examples include:

  • Instance configuration
  • IAM credentials
  • Access tokens
  • Network information

If an attacker can access these endpoints through SSRF, they may gain access to cloud resources beyond the vulnerable application itself.

Real-World Example

Imagine a website that generates previews for URLs submitted by users.

A normal request might look like: https://news.example.com/article

An attacker instead submits: http://internal-admin-panel.local

The application fetches the page and returns the contents.

The attacker now gains visibility into an internal system that should never have been exposed externally.

Common SSRF Targets

Attackers often attempt to access:

  • Internal web applications
  • Cloud metadata services
  • Database administration panels
  • Monitoring dashboards
  • Kubernetes services
  • Internal APIs
  • Network devices

These systems may contain sensitive information or provide further access into the organization's infrastructure.



Organizations can reduce SSRF risk by implementing several security controls.

Validate User-Supplied URLs

Only allow URLs that match expected formats and trusted destinations.

Reject unexpected protocols and malformed URLs.

Use Allowlists

Instead of allowing requests to any destination, maintain a list of approved domains and services.

This is generally more secure than relying on blocklists.

Restrict Internal Network Access

Servers should not have unrestricted access to internal systems unless absolutely necessary.

Network segmentation can significantly reduce SSRF impact.

Disable Unnecessary Protocols

Applications should disable support for protocols that are not required.

Examples include:

  • file://
  • ftp://
  • gopher://

Reducing available protocols decreases the attack surface.

Implement Least Privilege

Applications should operate with the minimum permissions required.

Even if SSRF occurs, limited privileges help reduce potential damage.
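One way to combine the controls above (URL validation, a destination allowlist, protocol restriction and a check that the destination does not resolve to an internal address), as an added Python example that is not part of the original article. The scheme list, host list and the injectable `resolve` parameter are assumptions made for illustration; `resolve` exists so the check can be exercised offline with a constructed lookup table.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Allowlists (constructed for this example; a real deployment keeps its own).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"news.example.com", "website.com"}


def _is_public(ip_text):
    """True only if the address is routable on the public internet."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 checks apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_url(url, resolve=socket.gethostbyname):
    """Decide whether the server may fetch `url` on a user's behalf.

    Returns (True, resolved_ip) or (False, reason). `resolve` maps a
    hostname to an IP string; it is a parameter so tests can supply a
    fixed table instead of doing real DNS.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:   # blocks file://, gopher://, ftp://
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:             # user@host tricks
        return False, "credentials in URL"
    if host.lower() not in ALLOWED_HOSTS:              # allowlist, not blocklist
        return False, "host not in allowlist"
    try:
        ip = resolve(host)
    except OSError:
        return False, "unresolvable host"
    # An allowlisted name can still resolve to an internal address
    # (misconfiguration or DNS rebinding), so check the address too.
    if not _is_public(ip):
        return False, f"resolves to non-public address {ip}"
    return True, ip
```

The HTTP client should connect to the returned IP (pinning it) rather than resolving the name a second time, and should not follow redirects automatically, since each redirect target needs the same check.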



Server-Side Request Forgery was added as a dedicated category in the OWASP Top 10 because of its increasing prevalence in modern cloud-native applications.

As organizations adopt microservices, APIs, containers, and cloud platforms, SSRF has become a more significant security concern.


Published Date: 2026-06-15


Updated Date: 2026-06-15


About the Author: Team absequ is a group of engineers and researchers working on real-world systems, software development, and technology solutions.
